Postfix & SASL Authentication
ggroth at gregs-garage.com
Tue Aug 8 14:52:24 UTC 2006
On 8/8/2006 9:20 AM, Gerard Seibert wrote:
> FreeBSD 6.1 STABLE
> I have SASL and Postfix installed and for the most part they seem to
> work all right together. However, there is one small problem.
> When attempting to send a message from one of the PC's on the network,
> actually any PC on the network except for the one with Postfix installed
> on it, this error message is inserted into the maillog file.
> Aug 8 10:11:32 scorpio postfix/smtpd: connect from boss.seibercom.net[192.168.0.4]
> Aug 8 10:11:32 scorpio postfix/smtpd: warning: SASL authentication failure: no user in db
> Aug 8 10:11:32 scorpio postfix/smtpd: 859B9BD6C: client=boss.seibercom.net[192.168.0.4], sasl_method=LOGIN, sasl_username=gerard at seibercom.net
> All of the users are authenticated. Exactly what is it referring to and how do I correct it? The mail does get relayed however, so it is not a fatal warning.
Which version of SASL? v1 or v2?
The following is based on ym experience with v2, and I don't know if it
applies to v1 or not.
As far as the message in you log file, it's attempting to authenticate,
but it's not connecting to the user database to verify the user. More
than likely it's allowing you to send mail from the local server because
you have Postfix configured to allow it to relay mail from localhost,
and that this is allowing you to send the email even though
authentication is failing.
To determine which authentication methods Postfix will accept, telnet to
localhost on port 25 and issue a EHLO:
mail# telnet localhost 25
Connected to localhost.domain.com.
Escape character is '^]'.
220 mail.domain.com ESMTP Postfix
250-AUTH NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
In this instance, the AUTH line dictates which authentication mechanisms
Postfix will accept. In this case: NTLM LOGIN PLAIN GSSAPI DIGEST-MD5
Check your /usr/local/lib/sasl2/smtpd.conf file and make sure that you
have the correct auth mechanism listed. For plain text login that's
verified against your existing users, your smtpd.conf file would read as
This will verify against your existing user accounts. There are other
methods, such as pwcheck_method: sasldb, that will verify against
SASL's own password database, which I've never used.
Make sure that you have saslauthd running (which it appears you do).
Issue the following:
# /usr/local/sbin/testsaslauthd -u username -p password
0: OK "Success."
If saslauthd is operating correctly, you'll recieve the OK "Success."
If not, your problem is with saslauthd.
If your AUTH line does not list the right AUTH mechanism, the problem is
with Postfix. For instance, if you're trying to use SMTP-AUTH from a
client on your network, and have pwcheck_method: saslauthd defined in
your smtpd.conf file, you have to have PLAIN LOGIN appear in the AUTH
line when telnetting.
More information about the freebsd-questions